As well as using VirtualHost properly, try:

<Limit CONNECT>
Deny from all
</Limit>

This will block CONNECT HTTP method type.

Graham

On 26 December 2011 20:54, Graham Dumpleton <graham.dumple...@gmail.com> wrote:
> On 26 December 2011 19:33, Jiaguo Fang <jgfang...@gmail.com> wrote:
>> Hi Graham, I haven't set any proxies. I will try your advice to add
>> only what I really need.
>
> I was not advising you to only add what you really think you need.
> Throwing away the whole file and then adding stuff on top of an empty
> file is actually bad practice and I wanted to make sure you were NOT
> doing that.
>
> You should always use the sample Apache configuration file and add on
> top of that.
>
> You should also read up about NameVirtualHost and VirtualHost
> directives and properly use them. If you use VirtualHost that may in
> itself solve the problem. It may be the case that CONNECT allows
> you to do what you are able to do if VirtualHost is not used.
>
> Graham
>
>> On Dec 26, 3:48 pm, Graham Dumpleton <graham.dumple...@gmail.com>
>> wrote:
>>> And if you haven't set them, have you done what I have seen many
>>> Windows people do, and even some UNIX people, which is to throw away
>>> completely the default Apache configuration and start with an empty
>>> file, adding only what you think you need?
>>>
>>> Doing that to me is a recipe for disaster as you have no idea what the
>>> Apache defaults are. One default is that Apache is allowed to serve
>>> files from anywhere on a file system if there is some Alias mapping
>>> that permits it in some way.
>>>
>>> Graham
>>>
>>> On 26 December 2011 18:44, Graham Dumpleton <graham.dumple...@gmail.com>
>>> wrote:
>>>
>>> > What are ProxyRequests and ProxyVia directives set to in Apache config
>>> > if defined? Eg:
>>>
>>> > ProxyRequests On
>>> > ProxyVia On
>>>
>>> > Is the Proxy directive used at all? Eg:
>>>
>>> > <Proxy *>
>>> > Order deny,allow
>>> > Deny from all
>>> > Allow from internal.example.com
>>> > </Proxy>
>>>
>>> > If you have forward proxy enabled and no VirtualHost, then likely
>>> > Apache is accepting any CONNECT to any port.
>>>
>>> > Open forward proxying is a security risk and when used should be locked
>>> > down.
>>>
>>> > So, this may be an artefact of an insecure Apache configuration.
>>>
>>> > Graham
>>>
>>> > On 26 December 2011 17:20, Jiaguo Fang <jgfang...@gmail.com> wrote:
>>>
>>> >> My development environment is windows+mod_wsgi 3.3+python 2.7+apache 2.2.
>>>
>>> >> I have set up apache to listen to 8080 port and use default settings
>>> >> for other apache configuration, meaning there is no
>>> >> VirtualHost/ServerName/ServerAlias...
>>>
>>> >> Here are the settings for wsgi:
>>> >> WSGIScriptReloading Off
>>> >> WSGIScriptAlias / "E:/eclipse workspace/SubscriptionServer/src/business/dispatcher.py"
>>> >> WSGIPythonPath "E:/eclipse workspace/SubscriptionServer/src"
>>>
>>> >> <Directory "E:/eclipse workspace/SubscriptionServer">
>>> >> Order deny,allow
>>> >> Allow from all
>>> >> </Directory>
>>>
>>> >> Now I have met the problem that apache will create interpreters for
>>> >> each port accessed by users, as apache logs show below.
>>> >> [error.log]
>>> >> [Sat Dec 24 22:14:34 2011] [info] mod_wsgi (pid=4956): Create interpreter 'myhost.com:8080|'.
>>> >> [Sat Dec 24 22:14:34 2011] [info] mod_wsgi (pid=4956): Adding 'E:/eclipse workspace/SubscriptionServer/src' to path.
>>> >> [Sat Dec 24 22:14:34 2011] [info] [client 10.27.7.110] mod_wsgi (pid=4956, process='', application='myhost.com:8080|'): Loading WSGI script 'E:/eclipse workspace/SubscriptionServer/src/business/dispatcher.py'.
>>> >> [Sat Dec 24 23:38:41 2011] [info] mod_wsgi (pid=4956): Create interpreter 'myhost.com|'.
>>> >> [Sat Dec 24 23:38:41 2011] [info] mod_wsgi (pid=4956): Adding 'E:/eclipse workspace/SubscriptionServer/src' to path.
>>> >> [Sat Dec 24 23:38:41 2011] [info] [client 110.7.115.125] mod_wsgi (pid=4956, process='', application='myhost.com|'): Loading WSGI script 'E:/eclipse workspace/SubscriptionServer/src/business/dispatcher.py'.
>>> >> [Sun Dec 25 09:04:50 2011] [info] mod_wsgi (pid=4956): Create interpreter 'myhost.com:25|'.
>>> >> [Sun Dec 25 09:04:50 2011] [info] mod_wsgi (pid=4956): Adding 'E:/eclipse workspace/SubscriptionServer/src' to path.
>>> >> [Sun Dec 25 09:04:50 2011] [info] [client 118.161.243.186] mod_wsgi (pid=4956, process='', application='myhost.com:25|'): Loading WSGI script 'E:/eclipse workspace/SubscriptionServer/src/business/dispatcher.py'.
>>>
>>> >> [access.log]
>>> >> 110.7.115.125 - - [24/Dec/2011:23:38:41 +0800] "GET http://gs.163.com/ HTTP/1.1" 404 29
>>> >> 118.161.243.186 - - [25/Dec/2011:09:04:50 +0800] "CONNECT mail3.xps.idv.tw:25 HTTP/1.0" 404 29
>>>
>>> >> As you can see from access log, these two requests will cause apache
>>> >> to create 80 and 25 interpreters. I don't know where they come
>>> >> from (proxy detecting?). But I can simulate them through telnet.
>>> >> telnet myhost.com 8080
>>> >> GET http://gs.163.com/
>>> >> CONNECT mail3.xps.idv.tw:25
>>>
>>> >> Then when I shut down the apache, no matter how many interpreters it
>>> >> creates, it only destroys the 8080 interpreter. This is another odd
>>> >> discovery.
>>> >> [Sun Dec 25 15:04:01 2011] [info] mod_wsgi (pid=4956): Destroying interpreters.
>>> >> [Sun Dec 25 15:04:01 2011] [info] mod_wsgi (pid=4956): Destroy interpreter 'myhost.com:8080|'.
>>> >> [Sun Dec 25 15:04:29 2011] [notice] Parent: Forcing termination of child process 234
>>> >> [Sun Dec 25 15:04:29 2011] [info] removed PID file C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/httpd.pid (pid=4608)
>>>
>>> >> I only want apache to listen to 8080 and create 8080 interpreter and
>>> >> prevent others. I believe there are some settings I have missed,
>>> >> apache or firewall? But how can I do this?
>>>
>>> >> --
>>> >> You received this message because you are subscribed to the Google
>>> >> Groups "modwsgi" group.
>>> >> To post to this group, send email to modwsgi@googlegroups.com.
>>> >> To unsubscribe from this group, send email to
>>> >> modwsgi+unsubscr...@googlegroups.com.
>>> >> For more options, visit this group at
>>> >> http://groups.google.com/group/modwsgi?hl=en.
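
One way to spot the proxy probing discussed in this thread in an Apache access log, given here as an added example that is not part of the original messages or of mod_wsgi. It assumes Common Log Format; `classify` and `find_probes` are hypothetical names, and the sample log holds the two request lines from the thread's access.log plus two constructed ones.

```python
import re
from urllib.parse import urlsplit

# Common Log Format: client ident user [time] "request line" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+$'
)

def classify(request_line):
    """Return (kind, host, port) if the request line names a remote target, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":                      # authority-form: host:port
        host, _, port = target.rpartition(":")
        if host and port.isdigit():
            return ("connect", host.lower(), int(port))
        return ("connect", target.lower(), None)
    if "://" in target:                          # absolute-form: scheme://host[:port]/path
        try:
            url = urlsplit(target)
            port = url.port
        except ValueError:                       # malformed authority or port
            return ("absolute-uri", "", None)
        default = {"http": 80, "https": 443}.get(url.scheme.lower())
        return ("absolute-uri", url.hostname or "", port or default)
    return None

def find_probes(lines, own_hosts):
    """List (client, kind, host, port, status) for requests aimed at hosts we do not serve."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        hit = classify(m.group("request")) if m else None
        if hit is None:
            continue
        kind, host, port = hit
        # Absolute-form requests for our own host are valid HTTP/1.1, so only
        # foreign targets and every CONNECT are reported.
        if kind == "connect" or host not in own:
            hits.append((m.group("client"), kind, host, port, int(m.group("status"))))
    return hits

SAMPLE_LOG = [
    '10.27.7.110 - - [24/Dec/2011:22:14:34 +0800] "GET /status HTTP/1.1" 200 512',              # constructed
    '10.27.7.110 - - [24/Dec/2011:22:15:02 +0800] "GET http://myhost.com:8080/ HTTP/1.1" 200 512',  # constructed
    '110.7.115.125 - - [24/Dec/2011:23:38:41 +0800] "GET http://gs.163.com/ HTTP/1.1" 404 29',   # from the thread
    '118.161.243.186 - - [25/Dec/2011:09:04:50 +0800] "CONNECT mail3.xps.idv.tw:25 HTTP/1.0" 404 29',  # from the thread
]
```

Calling `find_probes(SAMPLE_LOG, {"myhost.com"})` reports only the two requests quoted in the thread; the ports it extracts (80 and 25) are the ones that show up in the interpreter names in the quoted error log.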